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Executive  Summary 


In  the  2011  report  to  Congress  on  Foreign  Spies  Stealing  U.S.  Economic  Secrets  in  Cyberspace, 
the  Office  of  the  National  Counterintelligence  Executive  provided  a  baseline  assessment  of  the 
many  dangers  facing  the  U.S.  research,  development,  and  manufacturing  sectors  when  operating  in 
cyberspace,  the  pervasive  threats  posed  by  foreign  intelligence  services  and  other  threat  actors,  and 
the  industries  and  technologies  most  likely  at  risk  of  espionage.  The  2018  report  provides  additional 
insight  into  the  most  pervasive  nation-state  threats,  and  it  includes  a  detailed  breakout  of  the 
industrial  sectors  and  technologies  judged  to  be  of  highest  interest  to  threat  actors.  It  also  discusses 
several  potentially  disruptive  threat  trends  that  warrant  close  attention. 

This  report  focuses  on  the  following  issues 


Foreign  economic  and  industrial  espionage  against  the  United  States  continues  to  represent  a  significant 
threat  to  America's  prosperity,  security,  and  competitive  advantage.  Cyberspace  remains  a  preferred 
operational  domain  for  a  wide  range  of  industrial  espionage  threat  actors,  from  adversarial  nation¬ 
states,  to  commercial  enterprises  operating  under  state  influence,  to  sponsored  activities  conducted 
by  proxy  hacker  groups.  Next-generation  technologies,  such  as  Artificial  Intelligence  (Al)  and  the 
Internet-of-Things  (loT)  will  introduce  new  vulnerabilities  to  U.S.  networks  for  which  the  cybersecu¬ 
rity  community  remains  largely  unprepared.  Building  an  effective  response  will  require  understanding 
economic  espionage  as  a  worldwide,  multi-vector  threat  to  the  integrity  of  the  U.S.  economy  and 
global  trade. 

Foreign  intelligence  services — and  threat  actors  working  on  their  behalf — continue  to  represent  the  most 
persistent  and  pervasive  cyber  intelligence  threat  China,  Russia,  and  Iran  stand  out  as  three  of  the 
most  capable  and  active  cyber  actors  tied  to  economic  espionage  and  the  potential  theft  of  U.S.  trade 
secrets  and  proprietary  information.  Countries  with  closer  ties  to  the  United  States  also  have  con¬ 
ducted  cyber  espionage  to  obtain  U.S.  technology.  Despite  advances  in  cybersecurity,  cyber  espio¬ 
nage  continues  to  offer  threat  actors  a  relatively  low-cost,  high-yield  avenue  of  approach  to  a  wide 
spectrum  of  intellectual  property. 

A  range  of  potentially  disruptive  threat  trends  warrant  attention.  Software  supply  chain  infiltration  already 
threatens  the  critical  infrastructure  sector  and  is  poised  to  threaten  other  sectors.  Meanwhile,  new 
foreign  laws  and  increased  risks  posed  by  foreign  technology  companies  due  to  their  ties  to  host  gov¬ 
ernments,  may  present  U.S.  companies  with  previously  unforeseen  threats. 

Cyber  economic  espionage  is  but  one  facet  of  the  much  larger,  global  economic  espionage  challenge. 
We  look  forward  to  engaging  in  the  larger  public  discourse  on  mitigating  the  national  economic  harm 
caused  by  these  threats. 


Scope  Note 


This  report  is  submitted  in  compliance  with  the  National  Defense  Authorization  Act  for  Fiscal  Year 
2015,  Section  1637,  which  requires  that  the  President  annually  submit  to  Congress  a  report  on  foreign 
economic  espionage  and  industrial  espionage  in  cyberspace  during  the  12-month  period  preceding 
the  submission  of  the  report. 

Definitions  of  Key  Terms 


For  the  purpose  of  this  report,  key  terms  were  defined  according  to  definitions  provided  in  Section 
1637  of  the  National  Defense  Authorization  Act  for  Fiscal  Year  2015. 

Economic  or  Industrial  Espionage  means  (a)  stealing  a  trade  secret  or  proprietary  information  or 
appropriating,  taking,  carrying  away,  or  concealing,  or  by  fraud,  artifice,  or  deception  obtaining,  a 
trade  secret  or  proprietary  information  without  the  authorization  of  the  owner  of  the  trade  secret  or 
proprietary  information;  (b)  copying,  duplicating,  downloading,  uploading,  destroying,  transmitting, 
delivering,  sending,  communicating,  or  conveying  a  trade  secret  or  proprietary  information  with¬ 
out  the  authorization  of  the  owner  of  the  trade  secret  or  proprietary  information;  or  (c)  knowingly 
receiving,  buying,  or  possessing  a  trade  secret  or  proprietary  information  that  has  been  stolen  or 
appropriated,  obtained,  or  converted  without  the  authorization  of  the  owner  of  the  trade  secret  or 
proprietary  information. 

Cyberspace  means  (a)  the  interdependent  network  of  information  technology  infrastructures;  and  (b) 
includes  the  Internet,  telecommunications  networks,  computer  systems,  and  embedded 
processors  and  controllers. 


Contributors 


The  National  Counterintelligence  and  Security  Center  (NCSC)  compiled  this  report,  with  close  sup¬ 
port  from  the  CyberThreat  Intelligence  Integration  Center  (CTIIC),  and  with  input  and  coordination 
from  many  U.S.  Government  organizations,  including  the  Central  Intelligence  Agency  (CIA),  Defense 
Cyber  Crime  Center  (DC3),  Defense  Intelligence  Agency  (DIA),  Defense  Security  Service  (DSS), 
Department  of  Energy  (DoE),  Department  of  Defense  (DoD),  Department  of  Homeland  Security 
(DHS),  Department  of  State  (DoS),  Department  ofTreasury  (Treasury),  Federal  Bureau  of  Investiga¬ 
tion  (FBI),  National  Cyber  Investigative  Joint  Task  Force  (NCIJTF),  National  Geospatial-Intelligence 
Agency  (NGA),  National  Reconnaissance  Office  (NRO),  National  Security  Agency  (NSA),  and  Office 
of  the  Director  of  National  Intelligence  (ODNI). 
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I.  The  Strategic  Threat  of  Cyber  Economic  Espionage 


Foreign  economic  and  industrial  espionage  against  the  United  States  continues  to  represent 
a  significant  threat  to  America's  prosperity,  security,  and  competitive  advantage.  Cyberspace 
remains  a  preferred  operational  domain  for  a  wide  range  of  industrial  espionage  threat  actors,  from 
adversarial  nation-states,  to  commercial  enterprises  operating  under  state  influence,  to  sponsored 
activities  conducted  by  proxy  hacker  groups.  Next-generation  technologies  such  as  Artificial 
Intelligence  (Al)  and  the  Internet-of-Things  (loT)  will  introduce  new  vulnerabilities  to  U.S.  networks 
for  which  the  cybersecurity  community  remains  largely  unprepared.  Building  an  effective  response 
demands  understanding  economic  espionage  as  a  worldwide,  multi-vector  threat  to  the  integrity  of 
the  U.S.  economy  and  global  trade. 

The  United  States  remains  a  global  center  for  research,  development,  and  innovation  across  multiple 
high-technology  sectors.  Federal  research  institutions,  universities,  and  corporations  are  regularly 
targeted  by  online  actors  seeking  all  manner  of  proprietary  information  and  the  overall  long-term 
trend  remains  worrisome. 

While  next  generation  technologies  will  introduce  a  range  of  qualitative  advances  in  data  storage, 
analytics,  and  computational  capacity,  they  also  present  potential  vulnerabilities  for  which  the 
cybersecurity  community  remains  largely  unprepared.  The  solidification  of  cloud  computing  over  the 
past  decade  as  a  global  information  industry  standard,  coupled  with  the  deployment  of  technologies 
such  as  Al  and  loT,  will  introduce  unforeseen  vulnerabilities  to  U.S.  networks. 


•  Cloud  networks  and  loT  infrastructure 
are  rapidly  expanding  the  global  online 
operational  space.  Threat  actors  have 
already  demonstrated  how  cloud  can  be 
used  as  a  platform  for  cyber  exploitation. 

As  loT  and  Al  applications  expand  to 
empower  everything  from  "smart  homes" 
to  "smart  cities','  billions  of  potentially 
unsecured  network  nodes  will  create  an 
incalculably  larger  exploitation  space  for 
cyber  threat  actors. 

•  Lack  of  industry  standardization  during 
this  pivotal  first-generation  deployment 
period  will  likely  hamperthe  development 
of  comprehensive  security  solutions  in  the 
near-term. 


•  Building  an  effective  response  demands 
understanding  economic  espionage 
as  a  worldwide,  multi-vector  threat  to 
the  integrity  of  both  the  U.S.  economy 
and  global  trade.  Whereas  cyberspace 
is  a  preferred  operational  domain  for 
economic  espionage,  it  is  but  one  of 
many.  Sophisticated  threat  actors,  such  as 
adversarial  nation-states,  combine  cyber 
exploitation  with  supply  chain  operations, 
human  recruitment,  and  the  acquisition 
of  knowledge  by  foreign  students  in  U.S. 
universities,  as  part  of  a  strategic  technology 
acquisition  program. 


II.  Threats  from  Foreign  Countries 


Foreign  intelligence  services — and  threat  actors  working  on  their  behalf — continue  to  represent  the 
most  persistent  and  pervasive  cyber  intelligence  threat.  China,  Russia,  and  Iran  stand  out  as  three 
of  the  most  capable  and  active  cyber  actors  tied  to  economic  espionage  and  the  potential  theft  of 
U.S.  trade  secrets  and  proprietary  information.  Countries  with  closer  ties  to  the  United  States  have 
also  conducted  cyber  espionage  to  obtain  U.S.  technology.  Despite  advances  in  cybersecurity,  cyber 
espionage  continues  to  offer  threat  actors  a  relatively  low-cost,  high-yield  avenue  of  approach  to  a 
wide  spectrum  of  intellectual  property. 

We  anticipate  that  China,  Russia,  and  Iran  will  remain  aggressive  and  capable  collectors  of  sensitive 
U.S.  economic  information  and  technologies,  particularly  in  cyberspace.  All  will  almost  certainly 
continue  to  deploy  significant  resources  and  a  wide  array  of  tactics  to  acquire  intellectual  property 
and  proprietary  information. 

Countries  with  closer  ties  to  the  United  States  have  conducted  cyber  espionage  and  other  forms  of 
intelligence  collection  to  obtain  U.S.  technology,  intellectual  property,  trade  secrets,  and  proprietary 
information.  U.S.  allies  or  partners  often  take  advantage  of  the  access  they  enjoy  to  collect  sensitive 
military  and  civilian  technologies  and  to  acquire  know-how  in  priority  sectors. 


China:  Persistent  Cyber  Activities 


China  has  expansive  efforts  in  place  to  acquire  U.S.  technology  to  include  sensitive  trade 
secrets  and  proprietary  information.  It  continues  to  use  cyber  espionage  to  support  its  strategic 
development  goals — science  and  technology  advancement,  military  modernization,  and  economic 
policy  objectives.  China's  cyberspace  operations  are  part  of  a  complex,  multipronged  technology 
development  strategy  that  uses  licit  and  illicit  methods  to  achieve  its  goals.  Chinese  companies  and 
individuals  often  acquire  U.S.  technology  for  commercial  and  scientific  purposes.  At  the  same  time, 
the  Chinese  government  seeks  to  enhance  its  collection  of  U.S.  technology  by  enlisting  the  support 
of  a  broad  range  of  actors  spread  throughout  its  government  and  industrial  base. 
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China's  Strategic  Goals 


at 

Non-Traditional  Collectors 

China  uses  individuals  for  whom  science  or  business  is  their  primary  profession  to  target  and 
acquire  US  technology. 

© 

Joint  Ventures  (JV) 

China  uses  JVs  to  acquire  technology  and  technical  know-how. 

i 

Research  partnerships 

China  actively  seeks  partnerships  with  government  laboratories-such  as  the  Department  of  Energy 
labs-to  learn  about  and  acquire  specific  technology,  and  the  soft  skills  necessary  to  run  such  facilities. 

Academic  Collaborations 

China  uses  collaborations  and  relationships  with  universities  to  acquire  specific  research  and 
gain  access  to  high-end  research  equipment.  Its  policies  state  it  should  exploit  the  openness 
of  academia  to  fill  China's  strategic  gaps. 

S&T  Investments 

China  has  sustained,  long-term  state  investments  in  its  S&T  infrastructure. 

ri 

M&A 

China  seeks  to  buy  companies  that  have  technology,  facilities  and  people.  These  sometimes 
end  up  as  Committee  on  Foreign  Investment  in  the  United  States  (CFIUS)  cases. 

ffl 

Front  Companies 

China  uses  front  companies  to  obscure  the  hand  of  the  Chinese  government  and  acquire  export 
controlled  technology. 

Talent  Recruitment  Programs 

China  uses  its  talent  recruitment  programs  to  find  foreign  experts  to  return  to  China  and  work 
on  key  strategic  programs. 

Intelligence  Services 

The  Ministry  of  State  Security  (MSS),  and  military  intelligence  offices  are  used  in  China’s 
technology  acquisition  efforts. 

Legal  and  Regulatory 
Environment 

China  uses  its  laws  and  regulations  to  disadvantage  foreign  companies  and  advantage  its 
own  companies. 
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The  Intelligence  Community  and  private  sector  security  experts  continue  to  identify  ongoing 
Chinese  cyber  activity,  although  at  lower  volumes  than  existed  before  the  bilateral  September 
2015  U.S. -China  cyber  commitments.  Most  Chinese  cyber  operations  against  U.S.  private  industry 
that  have  been  detected  are  focused  on  cleared  defense  contractors  or  IT  and  communications 
firms  whose  products  and  services  support  government  and  private  sector  networks  worldwide. 
Examples  of  identified  ongoing  Chinese  cyber  activity  include  the  following: 


•  According  to  several  cyber  intelligence 
companies,  in  2017  the  China-associated 
cyber  espionage  group  APT10  continued 
widespread  operations  to  target  engineering, 
telecommunications,  and  aerospace 
industries.  APT10  targeted  companies 
across  the  globe,  including  the  United  States, 
using  its  exploitation  of  managed  IT 
service  providers  as  a  means  to  conduct 
such  operations. 

•  Cybersecurity  researchers  have  found 
links  between  Chinese  cyber  actors 
and  a  back  door  in  the  popular  CCleaner 
application  that  allowed  the  actors  to  target 
U.S.  companies,  including  Google, 

Microsoft,  Intel,  and  VMware. 


•  In  November  2017,  PricewaterhouseCoopers 
(PWC)  reported  that  the  China-based  APT 
known  as  KeyBoy,  was  shifting  its  focus  to 
target  Western  organizations.  According  to 
PWC,  the  targeting  likely  was  for  corporate 
espionage  purposes.  KeyBoy  previously 
focused  on  Asian  targets,  according  to 
commercial  cybersecurity  reporting. 

•  According  to  FireEye,  in  2017  TEMRPeriscope 
continued  targeting  the  maritime  industry 

as  well  as  engineering-focused  entities 
including  research  institutes,  academic 
organizations,  and  private  firms  in  the  United 
States.  FireEye  has  detected  sharp  increases 
in  targeting  in  early  2018  as  well. 


Recent  Unsealed  U.S.  Indictment  With  a  Linkto  China 

In  November  2017,  Wu  Yingzhuo,  Dong  Flao  and  Xia  Lei,  Chinese  nationals  and  residents  of 
China,  were  charged  with  computer  hacking,  theft  of  trade  secrets,  conspiracy,  and  identity 
theft.  These  efforts  were  directed  at  U.S.  and  foreign  employees  and  the  computers  of 
three  corporations  that  were  victims  in  the  financial,  engineering,  and  technology  industries 
between  2011  and  May  2017. 


We  believe  that  China  will  continue  to  be  a  threat  to  U.S.  proprietary  technology  and  intellectual 
property  through  cyber-enabled  means  or  other  methods.  If  this  threat  is  not  addressed,  it  could 
erode  America's  long-term  competitive  economic  advantage. 


Russia:  A  Sophisticated  Adversary 


The  threat  to  U.S.  technology  from  Russia  will  continue  over  the  coming  years  as  Moscow  attempts 
to  bolster  an  economy  struggling  with  endemic  corruption,  state  control,  and  a  loss  of  talent 
departing  for  jobs  abroad.  Moscow's  military  modernization  efforts  also  likely  will  be  a  motivating 
factor  for  Russia  to  steal  U.S.  intellectual  property.  An  aggressive  and  capable  collector  of  sensitive 
U.S.  technologies,  Russia  uses  cyberspace  as  one  of  many  methods  for  obtaining  the  necessary 
know-how  and  technology  to  grow  and  modernize  its  economy.  Other  methods  include  the  following: 

•  Use  of  Russian  commercial  and  academic  •  Russian  intelligence  penetration  of  public 

enterprises  that  interact  with  the  West;  and  private  enterprises,  which  enable  the 

government  to  obtain  sensitive  technical 

•  Recruitment  of  Russian  immigrants  with  information  from  industry, 

advanced  technical  skills  by  the  Russian 

intelligence  services;  and 

Russia  uses  cyber  operations  as  an  instrument  of  intelligence  collection  to  inform  its  decision¬ 
making  and  benefit  its  economic  interests.  Experts  contend  that  Russia  needs  to  enact  structural 
reforms,  including  economic  diversification  into  sectors  such  as  technology,  to  achieve  the  higher 
rate  of  gross  domestic  product  growth  publicly  called  for  by  Russian  President  Putin.  In  support 
of  that  goal,  Russian  intelligence  services  have  conducted  sophisticated  and  large-scale  hacking 
operations  to  collect  sensitive  U.S.  business  and  technology  information.  In  addition,  Moscow  uses 
a  range  of  other  intelligence  collection  operations  to  steal  valuable  economic  data: 


•  In  2016,  the  hacker  "Eas7"  confided  to 
Western  press  that  she  had  collaborated 
with  the  Russian  Federal  Security  Service 
(FSB)  on  economic  espionage  missions.  She 
estimated  that  "among  the  good  hackers, 

at  least  half  works  (sic)  for  government 
structures,"  suggesting  Moscow  employs 
cyber  criminals  as  a  way  to  make  such 
operations  plausibly  deniable. 

•  Moscow  has  used  cyber  operations  to 
collect  intellectual  property  data  from 
U.S.  energy,  healthcare,  and  technology 
companies.  For  example,  Russian 
Government  hackers  last  year  compromised 
dozens  of  U.S.  energy  firms,  including  their 
operational  networks.  This  activity  could 


be  driven  by  multiple  objectives,  including 
collecting  intelligence,  developing  accesses 
for  disruptive  purposes,  and  providing 
sensitive  U.S.  intellectual  property  to 
Russian  companies. 

•  Since  at  least  2007,  the  Russian  state- 
sponsored  cyber  program  APT28  has 
routinely  collected  intelligence  on  defense 
and  geopolitical  issues,  including  those 
relating  to  the  United  States  and  Western 
Europe.  Obtaining  sensitive  U.S.  defense 
industry  data  could  provide  Moscow  with 
economic  (e.g.  in  foreign  military  sales)  and 
security  advantages  as  Russia  continues  to 
strengthen  and  modernize  its  military  forces. 


Recent  Unsealed  U.S.  Indictment  with  a  Link  to  Russia 


In  March  2017,  the  United  States  Department  of  Justice  indicted  two  FSB  officials  and  their 
Russian  cybercriminal  conspirators  on  computer  hacking  and  conspiracy  charges  related 
to  the  collection  of  emails  of  U.S.  and  European  employees  of  transportation  and  financial 
services  firms.  The  charges  included  conspiring  to  engage  in  economic  espionage  and  theft 
of  trade  secrets. 


We  believe  that  Russia  will  continue  to  conduct  aggressive  cyber  operations  during  the  next  year 
against  the  United  States  and  its  allies  as  part  of  a  global  intelligence  collection  program  focused 
on  furthering  its  security  interests.  Although  cyber  operations  are  just  one  element  of  Russia's 
multipronged  approach  to  information  collection,  they  give  Russia's  intelligence  services  a  more 
agile  and  cost-efficient  tool  to  accomplish  Moscow's  objectives.  Indeed,  Russian  cyber  actors  are 
continuing  to  develop  their  cyber  tradecraft — such  as  using  open-source  hacking  tools  that  minimize 
forensic  connections  to  Russia. 

Iran:  An  Increasing  Cyber  Threat 


Iranian  cyber  activities  are  often  focused  on  Middle  Eastern  adversaries,  such  as  Saudi  Arabia  and 
Israel:  however,  in  2017  Iran  also  targeted  U.S.  networks.  A  subset  of  this  Iranian  cyber  activity 
aggressively  targeted  U.S.  technologies  with  high  value  to  the  Iranian  government.  The  loss  of 
sensitive  information  and  technologies  not  only  presents  a  significant  threat  to  U.S.  national  security. 
It  also  enables  Tehran  to  develop  advanced  technologies  to  boost  domestic  economic  growth, 
modernize  its  military  forces,  and  increase  its  foreign  sales.  Examples  of  recent  Iranian  cyber 
activities  include  the  following: 


•  The  Iranian  hacker  group  Rocket  Kitten 
consistently  targets  U.S.  defense  firms, 
likely  enabling  Tehran  to  improve  its  already 
robust  missile  and  space  programs 

with  proprietary  and  sensitive  U.S. 
military  technology. 

•  Iranian  hackers  target  U.S.  aerospace 
and  civil  aviation  firms  by  using  various 
website  exploitation,  spearphishing, 
credential  harvesting,  and  social 
engineering  techniques. 


•  The  OilRig  hacker  group,  which  historically 
focuses  on  Saudi  Arabia,  has  increased  its 
targeting  of  U.S.  financial  institutions  and 
information  technology  companies. 

•  The  Iranian  hacker  group  APT33  has 
targeted  energy  sector  companies  as  part 
of  Iran's  national  priorities  for  improving  its 
petrochemical  production  and  technology. 

•  Iranian  hackers  have  targeted  U.S.  academic 
institutions,  stealing  valuable  intellectual 
property  and  data. 


Recent  Unsealed  U.S.  Indictments  with  a  Link  to  Iran 

In  July  2017,  Iranian  nationals  Mohammed  Reza  Rezakhah  and  Mohammed  Saeed  Ajily  were 
charged  with  hacking  into  U.S.  software  companies,  stealing  their  proprietary  software,  and 
selling  the  stolen  software  to  Iranian  universities,  military  and  government  entities,  and  other 
buyers  outside  of  the  United  States. 

In  November  2017,  Iranian  national  Behzad  Mesri  was  charged  with  allegedly  hacking  HBO's 
corporate  systems,  stealing  intellectual  property  and  proprietary  data,  to  include  scripts  and 
plot  summaries  for  unaired  episodes.  Mesri  had  previously  hacked  computer  systems  for  the 
Iranian  military  and  has  been  a  member  of  an  Iran-based  hacking  group  called  theTurk  Black 
Hat  security  team. 

In  March  2018,  nine  Iranian  hackers  associated  with  the  Mabna  Institute  were  charged 
with  stealing  intellectual  property  from  more  than  144  U.S.  universities  which  spent 
approximately  $3.4  billion  to  procure  and  access  the  data.  The  data  was  stolen  at  the  behest 
of  Iran's  Islamic  Revolutionary  Guard  Corps  and  used  to  benefit  the  government  of  Iran 
and  other  Iranian  customers,  including  Iranian  universities.  Mabna  Institute  actors  also 
targeted  and  compromised  36  U.S.  businesses. 


We  believe  that  Iran  will  continue  working  to  penetrate  U.S.  networks  for  economic  or  industrial 
espionage  purposes.  Iran's  economy — still  driven  heavily  by  petroleum  revenue — will  depend 
on  growth  in  nonoil  industries  and  we  expect  Iran  will  continue  to  exploit  cyberspace  to  gain 
advantages  in  these  industries.  Iran  will  remain  committed  to  using  its  cyber  capabilities  to  attain 
key  economic  goals,  primarily  by  continuing  to  steal  intellectual  property,  in  an  effort  to  narrow  the 
science  and  technology  gap  between  Iran  and  Western  countries. 
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Targeted  Technologies 


Although  many  aspects  of  U.S.  economic  activity  and  technology  are  of  potential  interest  to  foreign 
intelligence  collectors,  we  judge  that  the  highest  interest  is  in  the  following  areas: 


Industry 

Priority  Sectors /Technologies 

Energy/ 

Alternative  Energy 

•  Advanced  pressurized  water  reactor  •  Oil,  gas,  and  coalbed  methane  development, 

and  high-temperature,  gas-cooled  including  fracking 

nuclear  power  stations  •  Smart  grids 

•  Biofuels  •  Solar  energy  technology 

•  Energy-efficient  industries  •  Wind  turbines 

Biotechnology 

•  Advanced  medical  devices  •  Biopharmaceuticals 

•  Biomanufacturing  and  chemical  •  Genetically  modified  organisms 

manufacturing  •  Infectious  disease  treatment 

•  Biomaterials  •  New  vaccines  and  drugs 

Defense 

Technology 

•  Aerospace  &  Aeronautic  Systems  •  Marine  Systems 

•  Armaments  •  Radar 

•  Optics 

Environmental 

Protection 

•  Batteries  •  Hybrid  and  electric  cars 

•  Energy-efficient  appliances  •  Waste  management 

•  Green  building  materials  •  Water/air  pollution  control 

High-End 

Manufacturing 

•  3D  printing  •  High-end  computer  numerically 

•  Advanced  robotics  controlled  machines 

•  Aircraft  engines  •  High-performance  composite  materials 

•  Aviation  maintenance  •  High-performance  sealing  materials 

and  service  sectors  •  Integrated  circuit  manufacturing  equipment  and 

•  Civilian  aircraft  assembly  technology 

•  Electric  motors  •  Space  infrastructure  and  exploration  technology 

•  Foundational  manufacturing  •  Synthetic  rubber 

equipment 

Information  and 

Communications 

Technology 

•  Artificial  intelligence  •  Network  equipment 

•  Big  data  analysis  •  Next-generation  broadband  wireless 

•  Core  electronics  industries  communications  networks 

•  E-commerce  services  •  Quantum  computing  and  communications 

•  Foundational  software  products  •  Rare-earth  materials 

•  High-end  computer  chips 

•  Internet  of  Things 

III.  Emerging  Threats 


A  range  of  other  potentially  disruptive  threats  warrant  attention.  Software  supply  chain  infiltration 
has  already  threatened  the  critical  infrastructure  sector  and  could  threaten  other  sectors  as  well. 
Meanwhile,  new  foreign  laws  and  increased  risks  posed  by  foreign  technology  companies  due  to 
their  ties  to  host  governments,  may  present  U.S.  companies  with  previously  unforeseen  threats. 

Cyber  threats  will  continue  to  evolve  with  technological  advances  in  the  global  information 
environment.  The  following  are  emerging  areas  of  concern  that  are  likely  to  disrupt  security 
procedures  and  expand  the  opportunities  for  collection  of  sensitive  U.S.  economic  and 
technology  information. 

Software  Supply  Chain  Operations 


Last  year  represented  a  watershed  in  the  reporting  of  software  supply  chain  operations.  In  2017, 
seven  significant  events  were  reported  in  the  public  domain  compared  to  only  four  between  2014 
and  2016.  As  the  number  of  events  grows,  so  too  are  the  potential  impacts.  Hackers  are  clearly 
targeting  software  supply  chains  to  achieve  a  range  of  potential  effects  to  include  cyber  espionage, 
organizational  disruption,  or  demonstrable  financial  impact: 


•  Floxif  infected  2.2  million  worldwide 
CCleaner  customers  with  a  backdoor.  The 
hackers  specifically  targeted  18  companies 
and  infected  40  computers  to  conduct 
espionage  to  gain  access  to  Samsung, 
Sony,  Asus,  Intel,  VMWare,  02,  Singtel, 
Gauselmann,  Dyn,  Chunghwa  and  Fujitsu. 

•  Hackers  corrupted  software  distributed  by 
the  South  Korea-based  firm  Netsarang, 
which  sells  enterprise  and  network 
management  tools.  The  backdoor  enabled 
downloading  of  further  malware  or  theft  of 
information  from  hundreds  of  companies  in 
energy,  financial  services,  manufacturing, 
pharmaceuticals,  telecommunications,  and 
transportation  industries. 

•  A  tweaked  version  of  M.E.  Doc  was 
infected  with  a  backdoor  to  permit  the 
delivery  of  software  from  the  Ukrainian 
accounting  firm  a  destructive  payload 


disguised  as  ransomware.This  attack, 
which  was  attributed  to  Russia,  paralyzed 
networks  worldwide,  shutting  down  or 
affecting  operations  of  banks,  companies, 
transportation,  and  utilities.  The  cost  of 
this  attack  to  FedEx  and  Maersk  was 
approximately  $300  million  each. 

•  A  malware  operation  dubbed  Kingslayer, 
targeted  system  administrator  accounts 
associated  with  U.S.  firms  to  steal 
credentials  in  order  to  breach  the  system 
and  replace  the  legitimate  application  and 
updates  with  a  malware  version  containing 
an  embedded  backdoor.  Although  it  is  not 
known  which  and  how  many  firms  were 
ultimately  infected,  at  least  one  U.S.  defense 
contractor  was  targeted  and  compromised. 


Foreign  Laws  Could  Enable  Intellectual  Property  Theft 


New  and  enhanced  cyber,  national  security,  and  import  laws  in  effect  in  foreign  countries  are  posing 
an  increasing  risk  to  U.S.  technology  and  propriety  information.  For  example,  in  2017,  China  and 
Russia  aggressively  enforced  laws  that  bolstered  their  domestic  companies  at  the  expense  of 
U.S.  companies  and  also  might  allow  their  companies  access  to  U.S.  intellectual  property  and 
proprietary  information. 

In  2017,  China  put  into  effect  a  new  cyber  security  law  that  restricts  sales  of  foreign  information  and 
communication  technology  (ICT)  and  mandates  that  foreign  companies  submit  ICT  for  government- 
administered  national  security  reviews.  The  law  also  requires  that  firms  operating  in  China  store  their 
data  in  China,  and  it  requires  government  approval  prior  to  transferring  data  outside  China.  The  U.S. 
Chamber  of  Commerce  has  gone  on  record  to  explain  that  if  a  foreign  company  is  forced  to  localize 
a  valuable  set  of  data  or  information  in  China,  whether  for  research  and  development  purposes 
or  simply  to  conduct  its  business,  it  will  have  to  assume  a  significant  amount  of  risk.  Its  data  or 
information  may  be  misappropriated  or  misused,  especially  given  the  environment  in  China,  where 
companies  face  significant  legal  and  other  uncertainties  when  they  try  to  protect  their  data 
and  information. 


Required  Steps  for  U.S.  Companies  to  Do  Business  in  China 
Pass  National  Security  Reviews  for  Technology  and  Services 

▼ 

2  Store  All  Data  in  China 

▼ 

3  Form  Joint  Venture  to  Open  Data  Center 

▼ 

tyj,  Obtain  Government  Approval  for  Data  Transfers 

▼ 

0  Buy  Government-Approved  Encryption  and  Virtual  Private  Networks  (VPNs) 
^  China  has  Access  to  U.S.  Intellectual  Property  and  Proprietary  Information 


Similarly,  in  recent  years  Russia  has  dramatically  increased  its  demand  for  source  code  reviews  for 
foreign  technology  being  sold  inside  the  country.  Russia's  Federal  Security  Service  (FSB),  associated 
with  economic  espionage  missions  in  the  past,  serves  as  the  authority  charged  with  directing  these 
source  code  reviews  and  approving  the  sale  of  technology  products  and  services  sold  inside  Russia. 

FHigh  intelligence  threat  countries,  such  as  China  and  Russia,  could  exploit  these  laws  to  significantly 
improve  their  access  to  the  intellectual  property  of  foreign  companies  operating  in  their  countries  and 
subsequently  share  this  sensitive  information  with  domestic  firms. 

Foreign  Technology  Companies  with  Links  to  Host  Governments 


Foreign  information  and  communications  technology  companies  are  often  subject  to  foreign  state 
influence.  This  presents  a  risk  to  U.S.  trade  secrets  and  intellectual  property.  These  companies 
provide  valuable  services  that  often  require  access  to  the  physical  and  logical  control  points  of  the 
computers  and  networks  they  support.  These  unique  accesses  also  present  an  opportunity  for 
foreign  countries  to  obtain  sensitive  proprietary  information.  Recent  events  underscore  the  potential 
risks  posed  by  technology  companies  that  have  links  to  foreign  governments  with  high  threat 


intelligence  services: 

•  Recent  Chinese  laws — including  laws  on 
national  security  and  cybersecurity — provide 
Beijing  a  legal  basis  to  compel  technology 
companies  operating  in  China  to  cooperate 
with  Chinese  security  services. 

•  In  September  2017,  the  Department  of 
Flomeland  Security  issued  a  directive  to 
Federal  departments  and  agencies  to  remove 
Kaspersky  Lab  products  and  services  based 
on  the  information  security  risks  posed  by 
the  company  and  its  links  to  Russia. 


•  In  December  2017,  the  Department  of 
Justice  made  public  an  agreement  with 
Netcracker  Technology  Corp.  that  resulted 
in  the  company  agreeing  that  it  would  not 
store  sensitive  information  and  data  from  its 
U.S. -based  technology  clients  in  overseas 
locations,  including  most  notably  Russia. 
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Annex  —  Decreasing  the  Prevalence  of  Economic  or 
Industrial  Espionage  in  Cyberspace 

The  U.S.  Government  (USG)  continues  to  undertake  numerous  actions  to  counter  economic 
espionage  in  cyberspace.  Perhaps  most  evident  are  current  USG  efforts  to  protect  critical 
infrastructure  and  other  sensitive  computer  networks  from  malicious  cyber  activities.  The  USG 
also  continues  to  work  with  the  private  sector  to  address  science  and  technology  gaps  through 
cyber  research  and  development  as  a  way  of  mitigating  the  malicious  activities  of  threat  actors  in 
cyberspace.  The  USG  will  continue  to  improve  its  efforts  to  disrupt,  deny,  exploit,  or  increase  the 
costs  of  foreign  cyber  operations  that  are  targeting  the  nation's  most  critical  economic  assets. 

Examples  of  USG  actions  include  the  following: 

•  Sharing  information  about  cyber  threats,  vulnerabilities,  and  other  risks; 

•  Promoting  best  practices,  risk  assessments,  and  capability  development; 

•  Improving  our  responses  to  cyber  incidents; 

•  Building  and  driving  the  market  towards  a  more  secure  cyber  ecosystem;  and 

•  Partnering  with  allies  to  address  cyber  issues. 

The  USG  has  the  capability  to  impose  costs  on  adversaries  who  engage  in  economic  cyber 
espionage  through  various  actions,  including  diplomatic,  informational,  military,  law  enforcement, 
and  economic  response.  The  details  of  many  of  these  actions  are  too  sensitive  to  discuss  in  this 
publication;  however,  we  have  provided  a  few  general  examples  that  illustrate  the  USG's  response, 
such  as: 

•  Public  statements  and  attribution; 

•  Diplomatic  demarches; 

•  Economic  sanctions;  and 

•  Law  enforcement  actions. 
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